From e81d17ee8ee214544b6dd52de145ad704e69fa12 Mon Sep 17 00:00:00 2001
From: darkain
Date: Tue, 9 Oct 2012 18:09:07 -0700
Subject: IP Range to CIDRs not calculating properly

Several IP address ranges were being calculated improperly. Examples: 10.0.0.0-10.255.255.255 became 160.0.0.0/8 65.113.241.0-65.113.241.255 became 130.227.226.0/24 72.165.61.0-72.165.61.255 became 145.74.122.0/24 The use of complicated string and regular expressions to calculate netmasks has been replaced with basic and proper bit masking.
---
 config/pf-blocker/pfblocker.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'config/pf-blocker')
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 1c107dc4..d2080d04 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -70,9 +70,9 @@ function pfblocker_Range2CIDR($ip_min, $ip_max) {
 if ($bits < 0) return "";
 #identify first ip on range network
- $network=long2ip(bindec(substr(decbin($ip_min_long),0,$bits).preg_replace("/\d/","0",substr(decbin($ip_min_long),0,(32-$bits)))));
+ $network=long2ip($ip_min_long & (2<<32)-(2<<(32-$bits)));
 #print decbin($ip_min_long)."\n".$network."\n";
- return $network . "/". (32 -strlen(decbin($ip_max_long - $ip_min_long)));
+ return $network . "/". $bits;
 }
 function sync_package_pfblocker($cron="") {
--
cgit v1.2.3

From 83f8ac2d59dc43987d87299e954f3b664c12f0d2 Mon Sep 17 00:00:00 2001
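Review bot: The new mask `(2<<32)-(2<<(32-$bits))` only produces a netmask where PHP integers are 64-bit; on a 32-bit build a shift count of 32 reaches the integer width, which PHP 5 leaves undefined and PHP 7 defines as 0, so `$network` would be masked wrongly there, and the same dependency carries through the two later rewrites of this line in this series. A form that stays inside 32 bits for every prefix length from 1 to 32, and works with the signed values `ip2long` returns on 32-bit builds, is `$network=long2ip($ip_min_long & (-1 << (32 - $bits)));`. `$bits` is computed above this hunk, so whether it can reach 0 (a shift by the full width) needs checking there; the function's body starts outside the hunk.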
From: darkain
Date: Tue, 9 Oct 2012 19:08:12 -0700
Subject: Fixing duplicate IP/Range entries

Because all three cases (CIDR, IP Range, and Single IP Address) are always tested, it is possible that more than one will have a positive match. Examples: 172.16.0.0/12 matches both for CIDR and Individual IP Address 169.254.0.0-169.254.255.255 matches for both Address Range and Individual IP By doing if, elseif, elseif instead of if, if, if testing, the later tests will only be performed if the former tests fail. Because the Individual IP Address test will return a result, even for CIDRs and IP Ranges, that test has been moved to the end of the elseif list.
---
 config/pf-blocker/pfblocker.inc | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'config/pf-blocker')
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index d2080d04..64171b01 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -288,16 +288,6 @@ function sync_package_pfblocker($cron="") {
 $new_file="";
 if (is_array($url_list)){
 foreach ($url_list as $line){
- # CIDR format 192.168.0.0/16
- if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
- ${$alias}.= $matches[1]."\n";
- $new_file.= $matches[1]."\n";
- }
- # Single ip addresses
- if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
- ${$alias}.= $matches[1]."/32\n";
- $new_file.= $matches[1]."/32\n";
- }
 # Network range 192.168.0.0-192.168.0.254
 if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){
 $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]);
@@ -306,6 +296,16 @@ function sync_package_pfblocker($cron="") {
 $new_file.= $cidr."\n";
 }
 }
+ # CIDR format 192.168.0.0/16
+ else if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
+ ${$alias}.= $matches[1]."\n";
+ $new_file.= $matches[1]."\n";
+ }
+ # Single ip addresses
+ else if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
+ ${$alias}.= $matches[1]."/32\n";
+ $new_file.= $matches[1]."/32\n";
+ }
 }
 }
 if ($new_file != ""){
--
cgit v1.2.3

From a32fc3f11a09385eaf7709d99158363cdbf5e608 Mon Sep 17 00:00:00 2001
From: Vince
Date: Wed, 10 Oct 2012 11:04:55 -0700
Subject: Net masking math was off by 1

Net masking math was off by 1
---
 config/pf-blocker/pfblocker.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'config/pf-blocker')
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 64171b01..53e2453e 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -70,7 +70,7 @@ function pfblocker_Range2CIDR($ip_min, $ip_max) {
 if ($bits < 0) return "";
 #identify first ip on range network
- $network=long2ip($ip_min_long & (2<<32)-(2<<(32-$bits)));
+ $network=long2ip($ip_min_long & (2<<32)-(2<<(31-$bits)));
 #print decbin($ip_min_long)."\n".$network."\n";
 return $network . "/". $bits;
 }
--
cgit v1.2.3

From 0d249b9d1b59555bb97491b48743d8455ff3039f Mon Sep 17 00:00:00 2001
From: Vince
Date: Wed, 10 Oct 2012 14:27:43 -0700
Subject: Small cleanup for readability

Small cleanup for readability
---
 config/pf-blocker/pfblocker.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'config/pf-blocker')
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 53e2453e..58b93bb5 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
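Review bot: The added `else if` branches still accept whatever `\d+` matches, unanchored, so an octet like `300`, a prefix like `/40`, or the tail of a longer dotted string is captured and appended verbatim to `$new_file` and the alias, while the single-address pattern's `\s+` drops an address that ends its line with no trailing whitespace (whether that can happen depends on how `$url_list` is split, which is outside the hunk). These lines come from a fetched list and end up in a pf table, where one malformed entry can make the whole table load fail rather than just being skipped. Validating the capture before appending keeps the branch honest: `else if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches) && is_subnet($matches[1])){` and `is_ipaddr($matches[1])` on the single-address branch, assuming the pfSense util.inc helpers are in scope here. The enclosing foreach and the first branch of this if/else chain begin in the previous hunk.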
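Review bot: With `31-$bits`, a /32 entry (a range whose two addresses are equal, if `$bits` reaches 32 for it) makes the shift count -1; PHP 7 throws ArithmeticError on a negative shift and PHP 5 leaves it undefined, so the single-host case ends in a fatal error or an arbitrary mask. The arithmetic is right for 1 to 31, since `(2<<32)-(2<<(31-$bits))` is 2^33 - 2^(32-$bits) and its low 32 bits are the netmask. The doubled shift can be avoided altogether with `$network=long2ip($ip_min_long & ((1<<32)-(1<<(32-$bits))));`, which gives 0xFFFFFFFF for 32 and 0 for 0 on 64-bit PHP. `$bits` is derived above the hunk, so whether 32 is reachable should be confirmed there.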
@@ -70,7 +70,7 @@ function pfblocker_Range2CIDR($ip_min, $ip_max) {
 if ($bits < 0) return "";
 #identify first ip on range network
- $network=long2ip($ip_min_long & (2<<32)-(2<<(31-$bits)));
+ $network=long2ip( $ip_min_long & ((1<<32)-(1<<(32-$bits))-1) );
 #print decbin($ip_min_long)."\n".$network."\n";
 return $network . "/". $bits;
 }
--
cgit v1.2.3
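Review bot: The trailing `-1` in `((1<<32)-(1<<(32-$bits))-1)` clears bit `32-$bits` of an otherwise correct netmask, so this readability change alters results: for /24 the mask becomes 0xFFFFFEFF and 65.113.241.0-65.113.241.255, one of the ranges the first commit in this series was fixing, now yields 65.113.240.0/24, and for /8 the mask 0xFEFFFFFF turns 11.0.0.0 into 10.0.0.0, so the blocklist silently covers the wrong networks. The intended line is `$network=long2ip( $ip_min_long & ((1<<32)-(1<<(32-$bits))) );`. This line has been rewritten in three consecutive commits; a small test over the ranges listed in the first commit message would have caught each regression. `$bits` and the start of the function are outside the hunk.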